<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="FileBeat Quick Start Installation # Download $ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.3-darwin-x86_64.tar.gz $ tar xzvf filebeat-7.9.3-darwin-x86_64.tar.gz $ cd filebeat-7.9.3-darwin-x86_64 The simplest input and output Create the configuration file filebeat-stdin-stdout.yml
# Standard input filebeat.inputs: - type: stdin enabled: true # Split the input on commas into three fields processors: - dissect: tokenizer: &#34;%{one},%{two},%{three}&#34; # The default is dissect; if set to an empty string, the fields are placed at the root # target_prefix: &#34;&#34; # Standard output output.console: enable: true pretty: true Run
# Start filebeat ## -c specifies the configuration file $ ./filebeat -e -c filebeat-stdin-stdout.yml Output
## Input: 1,2,3 1,2,3 # # The output is as follows # { &#34;@timestamp&#34;: &#34;2023-06-03T15:28:46."><meta property="og:title" content="" />
<meta property="og:description" content="FileBeat Quick Start Installation # Download $ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.3-darwin-x86_64.tar.gz $ tar xzvf filebeat-7.9.3-darwin-x86_64.tar.gz $ cd filebeat-7.9.3-darwin-x86_64 The simplest input and output Create the configuration file filebeat-stdin-stdout.yml
# Standard input filebeat.inputs: - type: stdin enabled: true # Split the input on commas into three fields processors: - dissect: tokenizer: &#34;%{one},%{two},%{three}&#34; # The default is dissect; if set to an empty string, the fields are placed at the root # target_prefix: &#34;&#34; # Standard output output.console: enable: true pretty: true Run
# Start filebeat ## -c specifies the configuration file $ ./filebeat -e -c filebeat-stdin-stdout.yml Output
## Input: 1,2,3 1,2,3 # # The output is as follows # { &#34;@timestamp&#34;: &#34;2023-06-03T15:28:46." />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://hello-world-example.gitee.io/elasticbeats/docs/Filebeat/Quick-Start/" />
<meta property="article:modified_time" content="2023-06-04T01:09:09+08:00" />
<title>Quick Start | ElasticBeats</title>
<link rel="icon" href="/elasticbeats/favicon.png" type="image/x-icon">


<link rel="stylesheet" href="/elasticbeats/book.min.00b8e784201abfe629a6e0741e94bf44575af8612aec171d94e4ecbd3692cf5c.css" integrity="sha256-ALjnhCAav&#43;YppuB0HpS/RFda&#43;GEq7BcdlOTsvTaSz1w=">


<!--
Made with Book Theme
https://github.com/alex-shpak/hugo-book
-->

  
</head>

<body>
  <input type="checkbox" class="hidden" id="menu-control" />
  <main class="container flex">
    <aside class="book-menu">
      
  <nav>
<h2 class="book-brand">
  <a href="/elasticbeats"><span>ElasticBeats</span>
  </a>
</h2>












  <ul>
<li>
  <a href="http://hello-world-example.gitee.io/elasticsearch"><strong>ElasticSearch 🔗</strong></a></li>
<li><strong>Filebeat</strong>
<ul>
<li>
  <a href="/elasticbeats/docs/Filebeat/Quick-Start/"class=active>Quick Start</a></li>
</ul>
</li>
<li><strong>Packetbeat</strong>
<ul>
<li>
  <a href="/elasticbeats/docs/Packetbeat/Quick-Start/">Quick Start</a></li>
</ul>
</li>
</ul>










</nav>




  <script>(function(){var menu=document.querySelector("aside.book-menu nav");addEventListener("beforeunload",function(event){localStorage.setItem("menu.scrollTop",menu.scrollTop);});menu.scrollTop=localStorage.getItem("menu.scrollTop");})();</script>


 
    </aside>

    <div class="book-page">
      <header class="book-header">
        
  <div class="flex align-center justify-between">
  <label for="menu-control">
    <img src="/elasticbeats/svg/menu.svg" class="book-icon" alt="Menu" />
  </label>

  <strong>Quick Start</strong>

  <label for="toc-control">
    <img src="/elasticbeats/svg/toc.svg" class="book-icon" alt="Table of Contents" />
  </label>
</div>


  
    <input type="checkbox" class="hidden" id="toc-control" />
    <aside class="hidden clearfix">
      
  <nav id="TableOfContents">
  <ul>
    <li><a href="#filebeat-快速入门">FileBeat Quick Start</a>
      <ul>
        <li><a href="#安装">Installation</a></li>
        <li><a href="#最简单的输入输出">The simplest input and output</a></li>
        <li><a href="#输出日志到-es">Sending logs to ES</a></li>
        <li><a href="#子命令">Subcommands</a>
          <ul>
            <li><a href="#filebeat-modules">filebeat modules</a></li>
            <li><a href="#filebeat-test">filebeat test</a></li>
          </ul>
        </li>
        <li><a href="#read-more">Read More</a></li>
      </ul>
    </li>
  </ul>
</nav>


    </aside>
  
 
      </header>

      
      
  <article class="markdown"><h1 id="filebeat-快速入门">FileBeat Quick Start</h1>
<h2 id="安装">Installation</h2>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># Download</span>
$ wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.3-darwin-x86_64.tar.gz
$ tar xzvf filebeat-7.9.3-darwin-x86_64.tar.gz
$ cd filebeat-7.9.3-darwin-x86_64 
</code></pre></div><h2 id="最简单的输入输出">The simplest input and output</h2>
<p>Create the configuration file <code>filebeat-stdin-stdout.yml</code>:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># Standard input</span>
filebeat.inputs:
- type: stdin
  enabled: true

<span style="color:#75715e"># Split the input on commas into three fields</span>
processors:
  - dissect:
      tokenizer: <span style="color:#e6db74">&#34;%{one},%{two},%{three}&#34;</span>
      <span style="color:#75715e"># The default is dissect; if set to an empty string, the fields are placed at the root</span>
      <span style="color:#75715e"># target_prefix: &#34;&#34;</span>

<span style="color:#75715e"># Standard output</span>
output.console:
  enabled: true
  pretty: true
</code></pre></div><p>Run:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># Start filebeat</span>
<span style="color:#75715e">## -c specifies the configuration file</span>
$ ./filebeat -e -c filebeat-stdin-stdout.yml 
</code></pre></div><p>Output:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e">## Input: 1,2,3</span>
1,2,3
#
<span style="color:#75715e"># The output is as follows</span>
#
<span style="color:#f92672">{</span>
  <span style="color:#e6db74">&#34;@timestamp&#34;</span>: <span style="color:#e6db74">&#34;2023-06-03T15:28:46.993Z&#34;</span>,
  <span style="color:#e6db74">&#34;@metadata&#34;</span>: <span style="color:#f92672">{</span>
    <span style="color:#e6db74">&#34;beat&#34;</span>: <span style="color:#e6db74">&#34;filebeat&#34;</span>,
    <span style="color:#e6db74">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;_doc&#34;</span>,
    <span style="color:#e6db74">&#34;version&#34;</span>: <span style="color:#e6db74">&#34;7.9.3&#34;</span>
  <span style="color:#f92672">}</span>,
  <span style="color:#e6db74">&#34;dissect&#34;</span>: <span style="color:#f92672">{</span>         <span style="color:#75715e"># 输入内容拆分成了三个字段</span>
    <span style="color:#e6db74">&#34;three&#34;</span>: <span style="color:#e6db74">&#34;3&#34;</span>,
    <span style="color:#e6db74">&#34;one&#34;</span>: <span style="color:#e6db74">&#34;1&#34;</span>,
    <span style="color:#e6db74">&#34;two&#34;</span>: <span style="color:#e6db74">&#34;2&#34;</span>
  <span style="color:#f92672">}</span>,
  <span style="color:#e6db74">&#34;log&#34;</span>: <span style="color:#f92672">{</span>
    <span style="color:#e6db74">&#34;offset&#34;</span>: 0,
    <span style="color:#e6db74">&#34;file&#34;</span>: <span style="color:#f92672">{</span>
      <span style="color:#e6db74">&#34;path&#34;</span>: <span style="color:#e6db74">&#34;&#34;</span>
    <span style="color:#f92672">}</span>
  <span style="color:#f92672">}</span>,
  <span style="color:#e6db74">&#34;message&#34;</span>: <span style="color:#e6db74">&#34;1,2,3&#34;</span>,    <span style="color:#75715e"># 原始输入内容</span>
  <span style="color:#e6db74">&#34;input&#34;</span>: <span style="color:#f92672">{</span>
    <span style="color:#e6db74">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;stdin&#34;</span>
  <span style="color:#f92672">}</span>,
  <span style="color:#e6db74">&#34;ecs&#34;</span>: <span style="color:#f92672">{</span>
    <span style="color:#e6db74">&#34;version&#34;</span>: <span style="color:#e6db74">&#34;1.5.0&#34;</span>
  <span style="color:#f92672">}</span>,
  <span style="color:#e6db74">&#34;host&#34;</span>: <span style="color:#f92672">{</span>
    <span style="color:#e6db74">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;KaildeMBP&#34;</span>
  <span style="color:#f92672">}</span>,
  <span style="color:#e6db74">&#34;agent&#34;</span>: <span style="color:#f92672">{</span>
    <span style="color:#e6db74">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;filebeat&#34;</span>,
    <span style="color:#e6db74">&#34;version&#34;</span>: <span style="color:#e6db74">&#34;7.9.3&#34;</span>,
    <span style="color:#e6db74">&#34;hostname&#34;</span>: <span style="color:#e6db74">&#34;KaildeMBP&#34;</span>,
    <span style="color:#e6db74">&#34;ephemeral_id&#34;</span>: <span style="color:#e6db74">&#34;08b27272-39bc-411b-86d5-7599dc027a50&#34;</span>,
    <span style="color:#e6db74">&#34;id&#34;</span>: <span style="color:#e6db74">&#34;45ca9284-3f60-419e-907d-130e32a2d63b&#34;</span>,
    <span style="color:#e6db74">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;KaildeMBP&#34;</span>
  <span style="color:#f92672">}</span>
<span style="color:#f92672">}</span>
</code></pre></div><h2 id="输出日志到-es">Sending logs to ES</h2>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">#
<span style="color:#75715e"># Clear the recorded read offset of the log file; otherwise, when the same file is read again, Filebeat jumps straight to the end</span>
<span style="color:#75715e"># rm data/registry/filebeat/log.json</span>
# 
<span style="color:#75715e"># ./filebeat -e -c filebeat-log-es.yml</span>
#

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - access.*.log

processors:
  - dissect:
      tokenizer: <span style="color:#e6db74">&#34;%{time_iso8601}	%{request_uri}	%{status}	%{bytes_sent}	%{upstream_cache_status}	%{request_time}	%{upstream_response_time}	%{host}	%{remote_addr}	%{server_addr}	%{upstream_addr}	%{http_referer}	%{http_user_agent}	%{http_x_forwarded_for}	...&#34;</span>
      target_prefix: <span style="color:#e6db74">&#34;dissect&#34;</span>
  - timestamp:
      field: <span style="color:#e6db74">&#34;dissect.time_iso8601&#34;</span>
      layouts:
        - <span style="color:#e6db74">&#39;2006-01-02T15:04:05+08:00&#39;</span>
        - <span style="color:#e6db74">&#39;2006-01-02T15:04:05.999Z&#39;</span>
        - <span style="color:#e6db74">&#39;2006-01-02T15:04:05.999-07:00&#39;</span>
      test:
        - <span style="color:#e6db74">&#39;2019-06-22T16:33:51+08:00&#39;</span>
        - <span style="color:#e6db74">&#39;2019-11-18T04:59:51.123Z&#39;</span>
        - <span style="color:#e6db74">&#39;2020-08-03T07:10:20.123456+02:00&#39;</span>
  - drop_fields:
      fields: <span style="color:#f92672">[</span><span style="color:#e6db74">&#34;agent&#34;</span>, <span style="color:#e6db74">&#34;host&#34;</span>, <span style="color:#e6db74">&#34;ecs&#34;</span>, <span style="color:#e6db74">&#34;input&#34;</span>, <span style="color:#e6db74">&#34;log&#34;</span><span style="color:#f92672">]</span>


setup.dashboards.index: <span style="color:#e6db74">&#34;accesslog-*&#34;</span>
setup.template.name: <span style="color:#e6db74">&#34;accesslog-template&#34;</span>
setup.template.pattern: <span style="color:#e6db74">&#34;accesslog-*&#34;</span>
setup.template.settings.index.number_of_shards: <span style="color:#ae81ff">1</span>
setup.template.settings.index.number_of_replicas: <span style="color:#ae81ff">0</span>
setup.template.settings._source.enabled: false


<span style="color:#75715e"># https://www.elastic.co/guide/en/beats/libbeat/7.9/config-file-format-namespacing.html</span>
output.elasticsearch.index: <span style="color:#e6db74">&#34;accesslog-%{+yyyy.MM.dd}&#34;</span> 
output.elasticsearch.hosts: <span style="color:#f92672">[</span><span style="color:#e6db74">&#34;192.168.31.164:9200&#34;</span><span style="color:#f92672">]</span>
output.elasticsearch.protocol: <span style="color:#e6db74">&#34;http&#34;</span>
</code></pre></div><h2 id="子命令">Subcommands</h2>
<h3 id="filebeat-modules">filebeat modules</h3>
<p>Filebeat ships with built-in log templates (modules) for some commonly used systems; each template defines and parses that system's default log format.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># List modules and see which ones are enabled</span>
$ ./filebeat modules list


<span style="color:#75715e"># Enable the Nginx module</span>
$ ./filebeat modules enable nginx

<span style="color:#75715e"># Disable the Nginx module</span>
$ ./filebeat modules disable nginx
</code></pre></div><h3 id="filebeat-test">filebeat test</h3>
<p>Validate that the configuration is correct:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># Validate the configuration</span>
$ filebeat test config
Config OK

<span style="color:#75715e"># Validate that the output is reachable and correct</span>
$ filebeat test output
elasticsearch: http://192.168.31.164:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.31.164
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.9.3
</code></pre></div><h2 id="read-more">Read More</h2>
<ul>
<li>
  <a href="https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-overview.html">Filebeat overview | Filebeat Reference 7.9 | Elastic</a></li>
</ul>
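<p>Added example (not part of the original page): the <code>filebeat test output</code> run above reports <code>TLS... WARN secure connection disabled</code> because the Elasticsearch output is configured with <code>protocol: "http"</code>. The fragment below shows that setting beside an HTTPS variant; the user name, the keystore key <code>ES_PWD</code> and the CA file path are assumptions, not values from the page.</p>

```yaml
# Added example: Elasticsearch output for filebeat-log-es.yml.

# Before (as on the page): plaintext HTTP and no authentication.
# Log events and any credentials cross the network unencrypted.
# output.elasticsearch.index: "accesslog-%{+yyyy.MM.dd}"
# output.elasticsearch.hosts: ["192.168.31.164:9200"]
# output.elasticsearch.protocol: "http"

# After: HTTPS with server certificate verification and authentication.
output.elasticsearch:
  index: "accesslog-%{+yyyy.MM.dd}"
  hosts: ["192.168.31.164:9200"]
  protocol: "https"

  # Assumed account name: use a dedicated user that can only write
  # to the accesslog-* indices, not a superuser.
  username: "filebeat_writer"

  # Resolved from the Filebeat keystore instead of being stored in the
  # file in clear text. Create the entry with:
  #   ./filebeat keystore add ES_PWD
  password: "${ES_PWD}"

  # Assumed path: the CA that signed the Elasticsearch HTTP certificate.
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

  # "full" checks the certificate chain and that the certificate matches
  # the host being contacted. Because hosts uses an IP address here, the
  # server certificate needs that IP in its subject alternative names.
  # Do not relax this to "none" to silence a verification error.
  ssl.verification_mode: "full"
```

<p>After the change, rerun <code>filebeat test output</code>; the <code>TLS...</code> line should no longer show the <code>secure connection disabled</code> warning.</p>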
</article>
 
      

      <footer class="book-footer">
        
  <div class="flex justify-between">



  <div>
    
    <a class="flex align-center" href="https://gitee.com/hello-world-example/ElasticBeats/commit/d0b24fccdad42c9be1956108fd7b28e11f5b3342" title='Last modified by kaibin.yang | Jun 4, 2023' target="_blank" rel="noopener">
      <img src="/elasticbeats/svg/calendar.svg" class="book-icon" alt="Calendar" />
      <span>Jun 4, 2023</span>
    </a>
  </div>




</div>

 

      </footer>

      
  
  <div class="book-comments">

</div>
  
 

      <label for="menu-control" class="hidden book-menu-overlay"></label>
    </div>

    
    <aside class="book-toc">
      
  <nav id="TableOfContents">
  <ul>
    <li><a href="#filebeat-快速入门">FileBeat Quick Start</a>
      <ul>
        <li><a href="#安装">Installation</a></li>
        <li><a href="#最简单的输入输出">The simplest input and output</a></li>
        <li><a href="#输出日志到-es">Sending logs to ES</a></li>
        <li><a href="#子命令">Subcommands</a>
          <ul>
            <li><a href="#filebeat-modules">filebeat modules</a></li>
            <li><a href="#filebeat-test">filebeat test</a></li>
          </ul>
        </li>
        <li><a href="#read-more">Read More</a></li>
      </ul>
    </li>
  </ul>
</nav>

 
    </aside>
    
  </main>

  
</body>

</html>












